Get more help

Threat behavior

Installation

This threat may drop copies of itself with different file names in the Windows system folder, for example:

<system folder>\shelldm.exe

<system folder>\xcllsx.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It creates entries in the system registry to ensure that its dropped copies run every time Windows starts: